monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG
http://flextype.org
MIT License

Stored XSS Vulnerability(Need Authentication) #436

Closed starnightcyber closed 2 years ago

starnightcyber commented 6 years ago

Two Stored-XSS issues were reported in #427 (title section) and #435 (content section). I found another Stored-XSS lying in the Name field on the same page (monstra-3.0.4/plugins/box/pages/pages.admin.php).

Steps to reproduce:

1. Log in to monstra at http://127.0.0.1/monstra-3.0.4/admin/index.php
2. Then visit http://127.0.0.1/monstra-3.0.4/admin/index.php?id=pages
3. Click the Create New Page button to create a new page
4. Fill in the Name field with the payload `<script>alert(document.cookie)</script>`
5. Save and Exit
6. Visit the page you just created, and the Stored-XSS will be triggered

Impacts: Anyone who visits the target page will trigger JavaScript code execution, including administrators, editors, and guests.

Affected Version: 3.0.4 or before

Affected URL: http:///monstra/blog/.php

Testing Environment: Win7 with XAMPP: Apache/2.4.23, PHP Version 5.6.28

Analysis: vulnerable page https://github.com/monstra-cms/monstra/blob/dev/plugins/box/pages/pages.admin.php, lines 222-233. All POST data is taken without any sanitization, just added and displayed. Both the Add page and Edit page forms are vulnerable.

Mitigation: Filter user input; please refer to #427.
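As an added illustration, not code from Monstra or from the reporter, here is the pattern the issue describes next to the output-escaping fix the mitigation line calls for; the function names and the page-name variable are assumptions, and the input is constructed from the payload quoted above.

```php
<?php
// Hypothetical illustration (not Monstra's own code) of the stored-XSS pattern
// from the report: a page name is saved from a form and later echoed into HTML.

// Vulnerable form: the stored value is written into the page verbatim, so any
// markup an authenticated user typed into the Name field reaches every visitor's browser.
function render_page_name_unsafe(string $name): string
{
    return '<h1>' . $name . '</h1>';
}

// Hardened form: escape at output time. Angle brackets, quotes and ampersands become
// HTML entities, so the browser displays the stored value as text instead of executing it.
// ENT_QUOTES also covers single quotes, which matters when the value lands in an attribute.
function render_page_name_safe(string $name): string
{
    return '<h1>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Optional input-side check, in the spirit of "filter user input": reject names that are
// empty, overlong or contain control characters before they are ever stored. This is a
// sanity check only; output escaping above is what actually prevents the XSS.
function validate_page_name(string $name): bool
{
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 200
        && preg_match('/[\x00-\x1F\x7F]/', $name) === 0;
}

// Constructed sample input, taken from the payload quoted in the report.
$submitted_name = '<script>alert(document.cookie)</script>';

if (validate_page_name($submitted_name)) {
    // Unsafe rendering: the script element survives intact.
    echo render_page_name_unsafe($submitted_name), PHP_EOL;
    // Safe rendering: the same value is shown as inert, entity-encoded text.
    echo render_page_name_safe($submitted_name), PHP_EOL;
}
```

The escaping has to happen on every path that prints the stored name (page view, admin list, edit form value attribute), not only on the one the report demonstrates.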